| Summary: | selinux prevents chromium from starting | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | cornel panceac <cpanceac> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | dominick.grift, dwalsh, mgrepl, samuel-rhbugs |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.9.7-46.fc14 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-30 00:34:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Fixed in selinux-policy-3.9.7-46.fc14.noarch

selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
After updating chromium browser, selinux prevents it from starting.

Version-Release number of selected component (if applicable):

    $ rpm -q selinux-policy
    selinux-policy-3.9.7-44.fc14.noarch
    $ rpm -q chromium
    chromium-14.0.835.186-1.fc14.i686

How reproducible:
always

Steps to Reproduce:
1. attempt to start chromium browser from menu (or from command line)
2.
3.

Actual results:
chromium does not start

Expected results:

Additional info:
Watching tail -f /var/log/messages I could see this kind of message:

    Oct 12 18:13:15 otp-cpanceac-l1 kernel: [ 6026.209887] type=1400 audit(1318432395.873:7): avc: denied { execmod } for pid=4427 comm="chromium-browse" path="/usr/lib/chromium-browser/chromium-browser" dev=sda5 ino=3016262 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

The abrt GUI doesn't show up reporting that the application was blocked, but I've noticed that setenforce 0 allows chromium to start. If it's started, it works fine even after setenforce 1.

On one system I've fixed it in two steps. First:

    sealert -l eb8e8127-2771-4dfc-9918-d0c158cbe109
    semanage fcontext -a -t textrel_shlib_t '/usr/lib/chromium-browser/chromium-browser'
    restorecon -v '/usr/lib/chromium-browser/chromium-browser'

then:

    grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
    semodule -i mypol.pp
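
The following is an added example, not part of the bug report and not Fedora's or the SELinux project's code: a small Python parser for AVC denials like the one quoted in the description. It groups denials by source type, target type and class, renders each group in allow-rule form so the requested access can be read before any local module is loaded, and flags memory-protection permissions such as `execmod`. The second log record and its `example_t` / `example_file_t` types are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: record 1 is the denial quoted in the report above;
# record 2 is invented (hypothetical types) to show unrelated denials stay separate.
SAMPLE_LOG = """\
Oct 12 18:13:15 otp-cpanceac-l1 kernel: [ 6026.209887] type=1400 audit(1318432395.873:7): avc: denied { execmod } for pid=4427 comm="chromium-browse" path="/usr/lib/chromium-browser/chromium-browser" dev=sda5 ino=3016262 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
Oct 12 18:13:16 host kernel: type=1400 audit(1318432396.100:8): avc: denied { read open } for pid=4500 comm="example" path="/tmp/example" dev=sda5 ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Memory-protection permissions: check labels and build flags before allowing.
MEMPROT = {"execmod", "execmem", "execstack", "execheap"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    rec = dict(fields, perms=m.group("perms").split())
    for key in ("scontext", "tcontext"):
        # Context is user:role:type:level; the MLS level may itself contain ':'.
        rec[key + "_type"] = fields[key].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials and return (allow-rule text, touches_memory_protection) pairs."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            groups[key].update(rec["perms"])
    return [
        ("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))),
         bool(perms & MEMPROT))
        for (src, tgt, cls), perms in sorted(groups.items())
    ]


if __name__ == "__main__":
    for rule, flagged in summarize(SAMPLE_LOG):
        print(("REVIEW  " if flagged else "        ") + rule)
```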